#!/bin/bash

# Script based on captive portal script by http://www.andybev.com/

IPTABLES=/sbin/iptables

# Enable Internet connection sharing
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# clear out existing setting
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT 
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT 
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD 
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t filter -F


# Create and flush internet chain
# This is used to authenticate users who have already signed up
$IPTABLES -N internet -t nat 2>/dev/null
$IPTABLES -F internet -t nat

# accept all local traffic
$IPTABLES -t nat -A PREROUTING -i eth1 --destination 10.0.0.0/16 -j ACCEPT

# Send all traffic via internet chain
# At the prerouting NAT stage this will DNAT them to the local
# webserver for them to signup if they aren't authorised
# Packets for unauthorised users are marked for dropping later
$IPTABLES -t nat -A PREROUTING -j internet

# Drop invalid packets
$IPTABLES -t mangle -A PREROUTING -p tcp -i eth1 -m conntrack --ctstate INVALID -j DROP  # drop invalid connections

# Accept ping and ssh incoming FROM Internet networks
$IPTABLES -t filter -A INPUT -p icmp -i eth0 --icmp-type 8 -j ACCEPT
$IPTABLES -t filter -A INPUT -p ICMP -i eth0 --icmp-type 11 -j ACCEPT
$IPTABLES -t filter -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
$IPTABLES -t filter -A INPUT -i eth0 -p tcp --dport 81 -j ACCEPT
$IPTABLES -t filter -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A INPUT -i eth0 -j DROP

# accept NTP time requess
# we allow these for any PC regardless of whether they are logged
# on to the network because the Internet Suite PCs use NTP to set
# their clocks BEFORE they are authorised to use the Internet
$IPTABLES -t filter -A FORWARD -p UDP --dport 123 -j ACCEPT

# accept connections to allowed IPs / ports
awk 'BEGIN { FS="\t"; } { if ($1 != "") { system("'$IPTABLES' -I internet 1 -t nat --destination "$1" -p tcp --dport "$2" -j RETURN"); } }' /opt/wlan/data/public_ips


# Stop DoS attacks on DNS-BL
$IPTABLES -t filter -A FORWARD -i eth1 --destination 216.168.28.50 -j DROP



$IPTABLES -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 40

# Accept any packets marked 99 here; they will be dropped later
# If they are re-marked then they will be allowed through

$IPTABLES -t mangle -A FORWARD -m mark --mark 99 -j ACCEPT


# Now that we've got to the forward filter, drop all packets
# marked 99 - these are unknown users. We can't drop them earlier
# as there's no filter table
$IPTABLES -t filter -A FORWARD -m mark --mark 99 -j DROP

# Do the same for the INPUT chain so that they also can't get to squid
# but allow them to the webserver to signup
$IPTABLES -t filter -A INPUT -p tcp --dport 80 -j ACCEPT

$IPTABLES -t filter -A INPUT -m mark --mark 99 -j DROP

###### INTERNET CHAIN ##########
# Allow authorised hosts in, redirect all others to login webserver
# Add known users to the NAT table to stop their dest being rewritten
# Ignore MAC address with a * - these users are blocked
# MAC address not found. Mark the packet 99

$IPTABLES -t nat -A internet -j MARK --set-mark 99

# Redirects web requests from Unauthorised users to logon Web Page
$IPTABLES -t nat -A internet -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.1

################################

# Force all traffic via web proxy to speed up some traffic and log access
$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128



# forward traffic with following ports:
awk 'BEGIN { FS="\t"; } { if ($1 != "") { system("'$IPTABLES' -A FORWARD -i eth1 -o eth0 -p tcp --dport "$1" -j ACCEPT"); } }' /opt/wlan/data/allowed_ports_tcp
awk 'BEGIN { FS="\t"; } { if ($1 != "") { system("'$IPTABLES' -A FORWARD -i eth1 -o eth0 -p udp --dport "$1" -j ACCEPT"); } }' /opt/wlan/data/allowed_ports_udp


# Enable Internet connection sharing
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# DROP all other traffic
$IPTABLES -A FORWARD -i eth1 -o eth0 -j DROP
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE


# add pass through for allowed MAC-adresses
awk 'BEGIN { FS="\t"; } { if ($1 != "") { system("'$IPTABLES' -I internet 1 -t nat -m mac --mac-source "$1" -j RETURN"); } }' /opt/wlan/data/allowed_macs
